Experts Urge IT Due Diligence Despite No May 7 Attacks

NCUA Public Affairs Specialist John Fairbanks said Wednesday that the agency had not received any reports of credit unions being hit with the threatened May 7 attacks.

Likewise, targeted credit unions reported no ill effects on Tuesday.

Despite the threats being more bark than bite, Brian McGinley, CEO of IDT911 Consulting, a Scottsdale, Ariz.-based data risk management firm that has approximately 30 credit union clients, said the inclusion of credit unions on the May 7 Anonymous target list should serve as a wake-up call for institutions of all sizes.

Credit unions should initiate meetings with IT service providers to hammer out what communication and technical plans would be implemented were an attack to occur, and what to expect in terms of service levels, he said.

“And, when you’re talking about large providers serving hundreds or thousands of clients, if there is an attack, somebody needs to ask who would get priority in getting back up online,” he said.

Any credit union – even those not targeted by hackers – could suffer what he called “collateral damage” if they share service providers with an institution hit by a DDoS attack.

“That’s really the key message of why these attacks are different,” he said. “Since most credit unions use a third party IT supplier, the attack, per se, goes through the provider to hit them.”

When a DDoS attack floods a website with traffic, he explained, that traffic goes through switches that may be shared by hundreds of institutions, and all could feel the effects.

Although the attacks so far have been targeted at online banking programs, McGinley said they could extend to platforms that support teller terminals, systems that open new accounts or those that process loans, because they are delivered through web services.

Cloud distribution could also be subject to disruption, he added.

Corporate credit unions weren’t listed as potential victims. However, Scott Hunt, the NCUA’s director of the Office of National Examinations and Supervision, emailed a letter to corporate credit unions on Tuesday providing information regarding the attacks and instructing corporates what they should do if they are attacked.

In the letter, Hunt said the main May 7 anticipated attack vectors included not just DDoS, but also Structured Query Language injection and cross-site scripting.

DDoS attacks could peak at approximately 30 gigabits per second, and could be globally attributed, “with anticipated network spikes of up to 9 Gbps originating from Indonesian Class C Internet Protocol Address space,” his letter said.

Hunt told corporates the FBI recommends that DDoS mitigation techniques include limiting the number of sessions from each IPA, reducing connection timeout wait time and analyzing infrastructure with publicly available vulnerability scanning tools and patching that includes the latest application and security updates.

“An effective configuration/patch management process provides a substantial defense to exploitive hacker tactics like SQLi and XSS and is foundational to an effective information security program intended to assure the safety and soundness of insured institutions,” Hunt said in the letter.

The chief examiner of all corporate credit unions and natural person credit unions with more than $10 billion in assets further told the corporates that should they experience any significant cyber-attack activity, they should notify their NCUA district examiner and state regulator, if applicable.

“This will allow NCUA to take necessary steps to ensure appropriate defensive actions are taken at other credit unions,” he said.

Fairbanks confirmed that no corporates were targeted by Anonymous for May 7, but said because all financial institutions are subject to cyber threats and fraudulent attempts to break in, the regulator “remains diligent in reviewing security controls at credit unions.”